The Frentix GmbH OpenOlat LMS is used by educational institutions around the world to deliver digital learning content. Recently, a stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-25974) has been discovered within the Media Center of OpenOlat version 18.1.5 (or lower). By exploiting this vulnerability, it is possible for an authenticated user to upload an SVG image containing a dangerous XSS payload, which can then be shared with other users (including administrators) and potentially lead to account compromises, or even a system-wide security breach.

Exploit Details

The vulnerability in OpenOlat LMS works by bypassing the normal file type validation applied to uploads in the Media Center. While allowed file types are typically restricted to reduce security risks, an SVG image containing an XSS payload passes these checks, allowing an attacker to upload a file that carries executable JavaScript code.

Here's a code snippet of a sample SVG image containing such an XSS payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
  <script>/* <![CDATA[ */ alert('XSS payload!'); /* ]]> */</script>
</svg>

After uploading a file containing an XSS payload, the attacker can share this file with other users, including admins, who will be affected upon viewing it. The JavaScript code embedded within the uploaded SVG file will run, potentially stealing sensitive data or gaining unauthorized access to the victim's OpenOlat account.

Affected Products

Frentix GmbH OpenOlat LMS version 18.1.5 or older is affected by this vulnerability. Please note that this version was selected for our demonstration as the most vulnerable; other versions may also be susceptible, but were not tested in this process.

Solution and Mitigations

To mitigate this issue, Frentix GmbH has released patches for OpenOlat LMS. It is strongly recommended to upgrade to the latest version of OpenOlat to address this vulnerability (OpenOlat v18.2.0 or higher). Visit the official OpenOlat GitHub repository (the OpenOlat Releases page) for more information on the latest releases.

Additionally, administrators should review uploaded content for malicious code and remove any suspicious files from the Media Center. Utilizing a content security policy (CSP) and XSS protection filters in the application and web browsers can further mitigate this vulnerability.
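The upload-time check that the vulnerable versions lacked, and the content review recommended above, both come down to the same question: does an SVG file contain anything that can execute? The following is an added example, not OpenOlat's own code or part of the original advisory. It parses an SVG with Python's standard library and reports script elements, event-handler attributes and javascript:/data: URLs, and it pairs that with the response headers a server should attach when it must serve user-supplied SVG at all. The sample SVGs (the first modeled on the snippet above) and the function and constant names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that can run script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that must never appear in an href inside an uploaded image.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}

# Headers for serving a user-supplied SVG if it has to be served at all (assumed policy):
# no script may run, the file is downloaded rather than rendered inline, and the
# browser must not sniff it into another type.
SAFE_SVG_RESPONSE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
}


def _local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return findings describing script-capable content in an SVG.

    An empty list means nothing active was found. A file that does not parse is
    itself a finding, because an unparseable upload should not be accepted.
    Production code should parse with defusedxml (not used here to stay
    dependency-free); ElementTree does not fetch external DTDs, so the DOCTYPE
    seen in the advisory's sample is harmless to the parser.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():  # iter() visits the root and every descendant
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # on* attributes (onload, onclick, ...) are event handlers in SVG.
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            # href / xlink:href: browsers ignore embedded whitespace in a scheme,
            # so strip all of it before comparing.
            if attr_name == "href":
                compact = "".join(value.split()).lower()
                scheme = compact.split(":", 1)[0] if ":" in compact else ""
                if scheme in SCRIPT_SCHEMES:
                    findings.append(f"{scheme}: URL in {attr_name} on <{name}>")
    return findings


def accept_svg_upload(svg_bytes: bytes) -> bool:
    """Upload-time gate: accept only SVGs with no active content."""
    return not find_active_content(svg_bytes)


# Constructed samples. The first mirrors the advisory's payload; the others are
# common variants a script-only check would miss; the last is benign.
PAGE_PAYLOAD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
  <script>/* <![CDATA[ */ alert('XSS payload!'); /* ]]> */</script>
</svg>"""
ONLOAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>"""
JS_HREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text y="10">click</text></a>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 16 16">
  <defs><rect id="box" width="8" height="8" fill="#0a0"/></defs>
  <use xlink:href="#box" x="4" y="4"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in [("page payload", PAGE_PAYLOAD_SVG), ("onload", ONLOAD_SVG),
                          ("javascript href", JS_HREF_SVG), ("benign", BENIGN_SVG)]:
        print(f"{label}: accept={accept_svg_upload(sample)} findings={find_active_content(sample)}")
```

The scanner is a gate, not a sanitizer: a file with findings is rejected rather than cleaned, since stripping elements while preserving a valid image is where sanitizers historically go wrong. Even an accepted SVG should be served with the headers above or from a separate origin, so that a check the scanner misses cannot run in the application's own origin, where it would have access to the viewing user's session.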

In summary, the stored XSS vulnerability in Frentix GmbH OpenOlat LMS (CVE-2024-25974) has the potential to cause account compromises and security breaches, making it crucial for educational institutions using this system to promptly apply the necessary patches and mitigation strategies. Stay vigilant, stay secure!

References

1. CVE-2024-25974 (National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2024-25974
2. OpenOlat LMS Official Website: https://www.openolat.com/
3. OpenOlat LMS GitHub Repository: https://github.com/OpenOLAT/OpenOLAT
4. OWASP: Preventing XSS Vulnerabilities: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Timeline

Published on: 02/20/2024 08:15:07 UTC
Last modified on: 02/21/2024 07:15:58 UTC